# FLARE VM - Malware Analysis Edition 

# Banner and license notice, printed through Boxstarter before any system
# change or package install further down runs. Every line is a runtime string
# shown to the user; the license URL list has to be kept in step with the set
# of packages installed below, since the user accepts those terms by proceeding.
Write-BoxstarterMessage "  ______ _               _____  ______   __      ____  __ "
Write-BoxstarterMessage " |  ____| |        /\   |  __ \|  ____|  \ \    / /  \/  |"
Write-BoxstarterMessage " | |__  | |       /  \  | |__) | |__ _____\ \  / /| \  / |"
Write-BoxstarterMessage " |  __| | |      / /\ \ |  _  /|  __|______\ \/ / | |\/| |"
Write-BoxstarterMessage " | |    | |____ / ____ \| | \ \| |____      \  /  | |  | |"
Write-BoxstarterMessage " |_|    |______/_/    \_\_|  \_\______|      \/   |_|  |_|"
Write-BoxstarterMessage "      M A L W A R E   A N A L Y S I S   E D I T I O N     "
Write-BoxstarterMessage "                                                          "
Write-BoxstarterMessage "                         Version  1.0                     "
Write-BoxstarterMessage "  ________________________________________________________"
Write-BoxstarterMessage "                         Developed by                     "
Write-BoxstarterMessage "                      Peter Kacherginsky                  "
Write-BoxstarterMessage "       FLARE (FireEye Labs Advanced Reverse Engineering)  "
Write-BoxstarterMessage "  _______________________________________________________ "
Write-BoxstarterMessage "                                                          "
Write-BoxstarterMessage "This download configuration script is provided to assist cyber security analysts"
Write-BoxstarterMessage "in creating handy and versatile toolboxes for malware analysis environments. It"
Write-BoxstarterMessage "provides a convenient interface for them to obtain a useful set of analysis"
Write-BoxstarterMessage "tools directly from their original sources. Installation and use of this script"
Write-BoxstarterMessage "is subject to the Apache 2.0 License."
Write-BoxstarterMessage " "
Write-BoxstarterMessage "You as a user of this script must review, accept and comply with the license"
Write-BoxstarterMessage "terms of each downloaded/installed package listed below. By proceeding with the"
Write-BoxstarterMessage "installation, you are accepting the license terms of each package, and"
Write-BoxstarterMessage "acknowledging that your use of each package will be subject to its respective"
Write-BoxstarterMessage "license terms."
Write-BoxstarterMessage ""
Write-BoxstarterMessage "List of package licenses:"
Write-BoxstarterMessage ""
# NOTE(review): the ollydbg URL appears twice on the next line — presumably
# once each for the OllyDbg 1.10 and 2.0 packages; confirm, or drop the repeat.
Write-BoxstarterMessage "http://www.ollydbg.de/download.htm, http://www.ollydbg.de/download.htm,"
Write-BoxstarterMessage "https://github.com/x64dbg/x64dbg/blob/development/LICENSE,"
Write-BoxstarterMessage "http://go.microsoft.com/fwlink/?LinkID=251960,"
Write-BoxstarterMessage "https://www.hex-rays.com/products/ida/support/download_freeware.shtml,"
Write-BoxstarterMessage "https://docs.binary.ninja/about/license/#demo-license,"
Write-BoxstarterMessage "https://github.com/icsharpcode/ILSpy/blob/master/doc/license.txt,"
Write-BoxstarterMessage "https://github.com/0xd4d/dnSpy/blob/master/dnSpy/dnSpy/LicenseInfo/GPLv3.txt,"
Write-BoxstarterMessage "https://www.jetbrains.com/decompiler/download/license.html,"
Write-BoxstarterMessage "https://github.com/0xd4d/de4dot/blob/master/LICENSE.de4dot.txt,"
Write-BoxstarterMessage "http://www.oracle.com/technetwork/java/javase/terms/license/index.html,"
Write-BoxstarterMessage "https://github.com/java-decompiler/jd-gui/blob/master/LICENSE,"
Write-BoxstarterMessage "https://www.vb-decompiler.org/license.htm, http://kpnc.org/idr32/en/,"
Write-BoxstarterMessage "https://www.free-decompiler.com/flash/license/,"
Write-BoxstarterMessage "https://www.mcafee.com/hk/downloads/free-tools/fileinsight.aspx,"
Write-BoxstarterMessage "https://mh-nexus.de/en/hxd/license.php,"
Write-BoxstarterMessage "https://www.sweetscape.com/010editor/manual/License.htm,"
Write-BoxstarterMessage "http://www.ntcore.com/exsuite.php, http://wjradburn.com/software/,"
Write-BoxstarterMessage "http://ntinfo.biz, https://www.sublimetext.com,"
Write-BoxstarterMessage "https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE,"
Write-BoxstarterMessage "http://vimdoc.sourceforge.net/htmldoc/uganda.html,"
Write-BoxstarterMessage "http://www.gnu.org/licenses/gpl-2.0.html,"
Write-BoxstarterMessage "https://raw.githubusercontent.com/ferventcoder/checksum/master/LICENSE,"
Write-BoxstarterMessage "http://www.7-zip.org/license.txt,"
Write-BoxstarterMessage "http://www.chiark.greenend.org.uk/~sgtatham/putty/licence.html,"
Write-BoxstarterMessage "http://www.gnu.org/copyleft/gpl.html,"
Write-BoxstarterMessage "https://cdn.rawgit.com/iggi131/packages/master/RawCap/license.txt,"
Write-BoxstarterMessage "https://www.gnu.org/copyleft/gpl.html,"
Write-BoxstarterMessage "http://upx.sourceforge.net/upx-license.html,"
Write-BoxstarterMessage "http://technet.microsoft.com/en-us/sysinternals/bb469936,"
Write-BoxstarterMessage "http://www.rohitab.com/apimonitor,"
Write-BoxstarterMessage "http://whiteboard.nektra.com/spystudio/spystudio_license,"
Write-BoxstarterMessage "http://www.slavasoft.com/hashcalc/license-agreement.htm,"
Write-BoxstarterMessage "http://www.gnu.org/licenses/gpl-2.0.html,"
Write-BoxstarterMessage "http://www.techworld.com/download/portable-applications/microsoft-offvis-11-3214034/,"
Write-BoxstarterMessage "http://exeinfo.atwebpages.com,"
Write-BoxstarterMessage "https://www.python.org/download/releases/2.7/license/,"
Write-BoxstarterMessage "https://www.microsoft.com/en-us/download/details.aspx?id=44266,"
Write-BoxstarterMessage "https://raw.githubusercontent.com/IntelliTect/Licenses/master/WindowsManagementFramework.txt,"
Write-BoxstarterMessage "http://msdn.microsoft.com/en-US/cc300389.aspx,"
Write-BoxstarterMessage "https://raw.githubusercontent.com/chocolatey/choco/master/LICENSE"


###############################################################################
# Configure system
###############################################################################
        
# Boxstarter options
# Boxstarter options
$Boxstarter.RebootOk=$true # Allow reboots?
$Boxstarter.NoPassword=$false # Is this a machine with no login password?
$Boxstarter.AutoLogin=$true # Save my password securely and auto-login after a reboot

# Basic setup
# Unrestricted lets the unsigned Chocolatey/Boxstarter package scripts run.
# NOTE(review): this is the broadest execution policy and is left in place
# after provisioning; confirm whether a narrower policy (e.g. RemoteSigned)
# still lets the packages below install before tightening it.
Update-ExecutionPolicy Unrestricted
# Updates are switched off for the analysis VM, so it receives no security
# patches from here on; keep the machine isolated from production networks.
Disable-MicrosoftUpdate
# Show protected OS files and file extensions in Explorer so samples cannot
# hide behind a hidden attribute or a disguised extension.
Set-WindowsExplorerOptions -EnableShowProtectedOSFiles -EnableShowFileExtensions
Set-TaskbarOptions -Size Small
Disable-BingSearch

###############################################################################
# Install Chocolatey packages
###############################################################################

# Configure FLARE chocolatey feed
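# Configure FLARE chocolatey feed. This is the single place the feed URL is
# spelled out; the source registration below reuses it.
$flare = "https://www.myget.org/F/flare/api/v2"

###############################################################################
# Install packages
###############################################################################

# Set up Chocolatey
cinst chocolatey              # Install chocolatey base package
if (Test-PendingReboot) { Invoke-Reboot }
# Register the FLARE feed under the same URL as $flare so the registered source
# and the -s $flare arguments used below cannot drift apart. --priority 1 is
# presumably meant to consult this feed ahead of the default one — confirm.
cmd.exe /c choco sources add -n=flare -s "$flare" --priority 1
cmd.exe /c choco feature enable -n allowGlobalConfirmation
# NOTE(review): allowEmptyChecksums lets any package that ships without a
# checksum install with no integrity check on the downloaded binary. It is
# presumably required by some of the feed packages below; confirm which, and
# disable the feature once they carry checksums.
cmd.exe /c choco feature enable -n allowEmptyChecksums

cinst flarevm -s $flare       # FLARE VM specific configurations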

# Packages requiring reboot
# Packages requiring reboot (community feed)
cinst powershell
cinst dotnet4.6.2

# Debuggers, all from the FLARE feed, installed in list order.
$debuggers = @(
    'ollydbg',             # OllyDbg 1.10
    'ollydbg.ollydump',    # OllyDump plugin
    'ollydbg.ollydumpex',  # OllyDumpEx plugin
    'ollydbg2',            # OllyDbg 2.0
    'ollydbg2.ollydumpex', # OllyDumpEx plugin
    'x64dbg',              # x64dbg
    'windbg',              # WinDbg x86, x64, .NET
    'windbg.kenstheme',    # Ken's WinDbg theme
    'windbg.ollydumpex',   # OllyDumpEx plugin
    'windbg.pykd'          # PyKD
)
foreach ($pkg in $debuggers) {
    cinst $pkg -s $flare
}

# Disassemblers and .NET decompilers (FLARE feed)
$disassemblers = @(
    'idafree',     # IDA Free
    'binaryninja', # Binary Ninja Demo
    'ilspy',       # ILSpy
    'dnspy',       # dnSpy
    'dotpeek',     # dotPeek
    'de4dot'       # de4dot
)
foreach ($pkg in $disassemblers) {
    cinst $pkg -s $flare
}

# Java runtime comes from the community feed, before the Java decompiler.
cinst javaruntime               # JRE

# Remaining analysis tools (FLARE feed), grouped by target format.
$formatTools = @(
    'jd-gui',        # Java: JD-GUI
    'vbdecompiler',  # VB: VB Decompiler Lite
    'idr.small',     # Delphi: IDR (small edition)
    'ffdec',         # Flash: FFDec
    'fileinsight',   # Hex editor: FileInsight
    'hxd',           # Hex editor: HxD
    '010editor',     # Hex editor: 010 Editor
    'peid',          # PE: PEiD
    'explorersuite', # PE: CFF Explorer
    'peview',        # PE: PEview
    'die',           # PE: DIE
    'pestudio'       # PE: PEStudio
)
foreach ($pkg in $formatTools) {
    cinst $pkg -s $flare
}

# Text Editors
# Text Editors (community feed). These three are installed with
# --ignore-checksums, i.e. the downloaded installers are not verified against
# the checksum in the package.
# NOTE(review): confirm each of these still needs the flag; it disables the
# only integrity check Chocolatey applies to the download.
foreach ($editor in 'sublimetext3', 'notepadplusplus', 'vim') {
    cinst --ignore-checksums $editor
}

# Utilities from the community feed
foreach ($pkg in 'unxutils', 'checksum', '7zip.install', 'putty') {
    cinst $pkg
}
#cinst npcap                        # Npcap NOTE: Breaks WinDivert
cinst wireshark.flare -s $flare    # WireShark
foreach ($pkg in 'rawcap', 'wget', 'upx') {
    cinst $pkg
}

# Utilities, Office and Android tooling from the FLARE feed
$flareTools = @(
    'sysinternals.flare', # Sysinternals wrapper
    'apimonitor',         # API Monitor
    'spystudio.flare',    # SpyStudio
    'hashcalc',           # HashCalc
    'regshot',            # RegShot
    'exeinfope',          # ExeInfo PE
    'offvis',             # Office: OffVis
    'officemalscanner',   # Office: OfficeMalScanner
    'apktool'             # Android: ApkTool
)
foreach ($pkg in $flareTools) {
    cinst $pkg -s $flare
}

# Python
# Python
# Community python2 package, installed to a fixed directory via the package
# parameter so the tools below find it at a known path.
cinst python2 --package-parameters '/InstallDir:"C:\Program Files\Python27"' # Python 2.7 - Using private version
# The FLARE feed's python package at an explicit version, then pinned so a
# later "choco upgrade all" does not move it off 2.7.13.
cinst python -s $flare --version 2.7.13
choco pin add -n=python --version 2.7.13

cinst vcpython27            # Microsoft Visual C++ Compiler for Python 2.7

# PyKD requires installation of 32-bit Python in 64-bit systems in order to function properly
# Get-OSArchitectureWidth is a Chocolatey helper; the x86 interpreter goes to
# the (x86) Program Files directory and is installed "nopath" so it does not
# shadow the 64-bit Python on PATH.
if(Get-OSArchitectureWidth -Compare 64) {
    cinst python2.nopath -s $flare --x86 --package-parameters '/InstallDir:"C:\Program Files (x86)\Python27"'
}

# Python Modules
# Python Modules — "-source python" hands these to Chocolatey's python
# alternative source, i.e. pip, rather than a Chocolatey feed.
cinst hexdump   -source python
cinst pefile    -source python
cinst winappdbg -source python
cinst pycrypto  -source python # Cryptographic modules for Python
cinst cryptography -source python # Cryptography for humans
# NOTE(review): the two GitHub zipball lines below fetch whatever "master"
# currently is — no version pin and no checksum, so the installed code changes
# silently with upstream. Pin to a release tag or commit (e.g.
# .../zipball/<TAG_OR_COMMIT_PLACEHOLDER>) if reproducible builds matter.
cinst https://github.com/williballenthin/vivisect/zipball/master     -source python # Vivisect

# Python Tools
cinst oletools -source python # Python tools to analyze OLE and MS Office files
cinst fakenet-ng.python -s $flare # FakeNet-NG
cinst floss.python -s $flare      # FLOSS
# Unpinned "master" fetch; see the note on the vivisect line above.
cinst https://github.com/fireeye/flare-qdb/zipball/master            -source python # FLARE-QDB

# Visual C++ Redistributable Packages
# Visual C++ Redistributable Packages (community feed), oldest first.
foreach ($year in 2008, 2010, 2012, 2013) {
    cinst "vcredist$year"
}

